CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 2CVE-2021-23362 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2021-23362
23 Mar 2021 — The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity. El paquete hosted-git-info anterior a la versión 3.0.8 es vulnerable a la Denegación de Servicio por Expresión Regular (ReDoS) a través de la expresión regular shortcutMatch en la función fromUrl en index.js. La expresión regular afectada muestra una com... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2020-7754 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2020-7754
27 Oct 2020 — This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Esto afecta al paquete npm-user-validate versiones anteriores a 1.0.1. La expresión regular que comprueba los correos electrónicos de los usuarios tardó exponencialmente más en procesar cadenas de entrada largas que comienzan con caracteres @ Node.js is a software development platform for building fast and scalable network app... • https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 1CVE-2020-15095 – Sensitive information exposure through logs in npm cli
https://notcve.org/view.php?id=CVE-2020-15095
07 Jul 2020 — Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>". The password value is not redacted and is printed to stdout and also to any generated log files. Las versiones de la CLI npm anteriores a 6.14.6, son susceptibles a una vulnerabilidad de exposición de información por medio de archivos de registro. La CLI admite las URL como "://[[:]@][:][:][/]". • https://github.com/ossf-cve-benchmark/CVE-2020-15095 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16777 – Arbitrary File Overwrite in npm CLI
https://notcve.org/view.php?id=CVE-2019-16777
13 Dec 2019 — Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using t... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-269: Improper Privilege Management •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16776 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16776
13 Dec 2019 — Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 8EXPL: 0CVE-2019-16775 – Unauthorized File Access in npm CLI before before version 6.13.3
https://notcve.org/view.php?id=CVE-2019-16775
13 Dec 2019 — Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignor... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7408
https://notcve.org/view.php?id=CVE-2018-7408
22 Feb 2018 — An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue. Se ha descubierto un problema en un prelanzamiento de npm 5.7.0 2018-02-21 (ma... • http://blog.npmjs.org/post/171169301000/v571 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 2%CPEs: 95EXPL: 0CVE-2016-3956
https://notcve.org/view.php?id=CVE-2016-3956
02 Jul 2016 — The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers. La CLI en npm en versiones anteriores a 2.15.1 y 3.x en versiones anteriores a 3.8.3, tal como se utiliza en Node.js 0.10 en versiones anteriores a 0.10.44, 0.12 en versiones anteriores a 0.12.13, 4 en versiones ante... • http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •